Active Directory
Active Directory (AD) is a directory service created by Microsoft. Active Directory uses a number of standardized protocols to provide a variety of network services, including:
Lightweight Directory Access Protocol (LDAP), the industry standard directory access protocol, compatible with many management and query applications. Active Directory supports LDAPv3 and LDAPv2.
Features include:
- Central location for network administration and security[1]
- Information security and single sign-on for user access to networked resources[1]
- The ability to scale up or down easily[1]
- Standardizing access to application data[1]
- Synchronization of directory updates across servers[1]
Active Directory stores all information and settings for a deployment in a central database. Active Directory allows administrators to assign policies, deploy and update software. Active Directory networks can vary from a small installation with a few computers, users and printers to tens of thousands of users, many different network domains and large server farms spanning many geographical locations.
History
Active Directory was previewed in 1999, released first with Windows 2000 Server edition, and revised to extend functionality and improve administration in Windows Server 2003. Additional improvements were made in Windows Server 2003 R2, Windows Server 2008 and Windows Server 2008 R2, and it was renamed Active Directory Domain Services. Active Directory was called NTDS (NT Directory Service) in older Microsoft documents. This name can still be seen in some Active Directory binaries.
Structure
Objects
An Active Directory structure is a hierarchical arrangement of information about objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are assigned unique security identifiers (SIDs). Each object represents a single entity (whether a user, a computer, a printer, or a group) and its attributes. Certain objects can contain other objects. An object is uniquely identified by its name and has a set of attributes (the characteristics and information that the object represents) defined by a schema, which also determines the kinds of objects that can be stored in Active Directory. Each attribute object can be used to define multiple schema objects. The schema object allows the schema to be extended or modified when necessary. However, because each schema object is integral to the definition of Active Directory objects, deactivating or changing these objects can fundamentally change and/or disrupt a deployment. Schema changes automatically propagate throughout the system. Once created, an object can only be deactivated, not deleted. Changing the schema usually requires planning.[2]
Sites
A Site object in Active Directory represents a geographic location that hosts networks. Sites contain objects called subnets.[3]
Forests, trees, and domains
The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and domain are the logical divisions in an Active Directory network. Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace. A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy. At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.
[Figure: forest "Widgets Corp" containing tree "Eastern" (domains Boston, New York, Philly, with OU Marketing) and tree "Southern" (domains Atlanta, Dallas, with OU Sales), each domain holding example user objects. Example of the geographical organizing of zones of interest within trees and domains.]
Organizational units
The objects held within a domain can be grouped into Organizational Units (OUs).[4] OUs can provide hierarchy to a domain, ease its administration, and can resemble the organization's structure in managerial or geographical terms. OUs can contain other OUs; domains are containers in this sense. Microsoft recommends using OUs rather than domains for structure and to simplify the implementation of policies and administration. The OU is the recommended level at which to apply group policies, which are Active Directory objects formally named Group Policy Objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the level at which administrative powers are commonly delegated, but delegation can be performed on individual objects or attributes as well. Organizational Units are an abstraction for the administrator and do not function as containers; the underlying domain is the true container. It is not possible, for example, to create user accounts with an identical username (sAMAccountName) in separate OUs, such as "fred.staff-ou.domain" and "fred.student-ou.domain", where "staff-ou" and "student-ou" are the OUs. This is so because sAMAccountName, a user object attribute, must be unique within the domain. As the number of users in a domain increases, conventions such as "first initial, middle initial, last name" will fail for common names like Smith, Garcia, or Lee. Workarounds include adding a digit to the end of the username or using the unique employee/student id number. Because duplicate usernames cannot exist within a domain, account name generation poses a significant challenge for large organizations that cannot be easily subdivided into separate domains, such as students in a public school system or university who must be able to use any computer across the network.
[edit]Shadow groups
In Active Directory, organizational units cannot be assigned as owners or trustees. Only groups are selectable, and members of OUs cannot be collectively assigned rights to directory objects.
OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. It is a separate step for an administrator to assign an object in an OU to be a member of a group that is also within that OU. Relying on OU location alone to determine access permissions is unreliable because the object may not have been assigned to the group object for that OU. A common practice is for an administrator to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU's account membership. Such groups are known as Shadow Groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools. Microsoft refers to shadow groups in the Server 2008 Reference documentation, but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups.[5]
The division of an organization's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT service, or by object type, and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself, and an administrator of any domain in the forest must be trusted across all domains in the forest.[6]
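The shadow-group maintenance script described above, written here as an added example (not code from the original page). It assumes the RSAT ActiveDirectory module; the domain corp.contoso.com, the "OU=Shadow Groups" container and the "SG-" naming prefix are constructed placeholders.

```powershell
# Added example: keep one security group ("shadow group") per OU in sync with the
# user accounts located in that OU, so the group can be used as a trustee in place of the OU.
# Assumes the RSAT ActiveDirectory module; domain and container names are placeholders.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,  # OU whose users the group mirrors
        [Parameter(Mandatory)] [string] $GroupName,            # shadow group name, e.g. "SG-Sales"
        [Parameter(Mandatory)] [string] $GroupPath             # container DN where the group lives
    )
    # Create the shadow group on the first run; later runs only reconcile membership.
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $GroupPath
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -Path $GroupPath -GroupScope Global `
            -GroupCategory Security -Description "Shadow group for $OuDistinguishedName" -PassThru
    }

    # Desired membership: enabled users directly in the OU (OneLevel; use Subtree to include child OUs).
    $wanted  = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $OuDistinguishedName -SearchScope OneLevel |
                 ForEach-Object { $_.DistinguishedName })
    # Current membership, including anything someone added by hand; it is removed if not in the OU.
    $current = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.DistinguishedName })

    # Reconcile: accounts moved out of the OU lose the group, new arrivals gain it.
    $toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $wanted  -notcontains $_ })
    if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $group -Members $toAdd }
    if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

    [pscustomobject]@{ Group = $GroupName; Members = $wanted.Count; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Scheduled-task entry point: one shadow group per top-level OU under the (placeholder) domain root.
$domainDn  = 'DC=corp,DC=contoso,DC=com'
$groupPath = "OU=Shadow Groups,$domainDn"
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn -SearchScope OneLevel | ForEach-Object {
    Sync-ShadowGroup -OuDistinguishedName $_.DistinguishedName -GroupName "SG-$($_.Name)" -GroupPath $groupPath
}
```

Because membership is only as current as the last run, schedule the script at an interval shorter than the time you are willing to let a moved account keep its old access.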
Physical matters
Sites are physical (rather than logical) groupings defined by one or more IP subnets.[7] AD also holds the definitions of connections, distinguishing low-speed (e.g., WAN, VPN) from high-speed (e.g., LAN) links. Site definitions are independent of the domain and OU structure and are common across the forest. Sites are used to control network traffic generated by replication and also to refer clients to the nearest domain controllers. Microsoft Exchange Server 2007 uses the site topology for mail routing. Policies can also be defined at the site level. Physically the Active Directory information is held on one or more peer domain controllers (DCs), replacing the NT PDC/BDC model. Each DC has a copy of the Active Directory. Servers joined to Active Directory that are not domain controllers are called Member Servers.[8]
The Active Directory database is organized in partitions, each holding specific object types and following a specific replication pattern. AD synchronizes changes using multi-master replication.[9] Microsoft often refers to these partitions as 'naming contexts'.[10] The 'Schema' partition contains the definitions of object classes and attributes within the Forest. The 'Configuration' partition contains information on the physical structure and configuration of the forest (such as the site topology). Both replicate to all domain controllers in the Forest. The 'Domain' partition holds all objects created in that domain and replicates only to Domain Controllers within its domain. So, for example, a user created in Domain A would be listed only in Domain A's domain controllers. A subset of objects in the domain partition replicates to domain controllers that are configured as global catalogs. Global catalog (GC) servers provide a global listing of all objects in the Forest.[11] Global Catalog servers replicate to themselves all objects from all domains and hence provide a global listing of objects in the forest. However, in order to minimize replication traffic and to keep the GC's database small, only selected attributes of each object are replicated. This is called the partial attribute set (PAS). The PAS can be modified by modifying the schema and marking attributes for replication to the GC.[12] Earlier versions of Windows used NetBIOS to communicate. Active Directory is fully integrated with DNS and requires TCP/IP and DNS. To be fully functional, the DNS server must support SRV resource records or service records.
Replication
Active Directory replication is 'pull' rather than 'push', meaning that replicas pull changes from the server where the change was effected.[13] The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic. Intrasite replication is frequent and automatic as a result of change notification, which triggers peers to begin a pull replication cycle. Intersite replication intervals are typically less frequent and do not use change notification by default, although this is configurable and can be made identical to intrasite replication.
Each link can have a 'cost' (e.g., DS3, T1, ISDN etc.) and the site link topology will be altered accordingly by the KCC. Replication may occur transitively through several site links on same-protocol site link bridges, if the cost is low, although the KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site replication can be configured to occur between a bridgehead server in each site, which then replicates the changes to other DCs within the site. Replication of Active Directory uses Remote Procedure Calls (RPC) over IP (RPC/IP). Between sites you can use SMTP for replication, but only for changes in the Schema, Configuration, or Partial Attribute Set (Global Catalog) NCs. SMTP cannot be used for replicating the default Domain partition.[14]
Database
The Active Directory database, the directory store, in Windows 2000 Server uses the JET Blue-based Extensible Storage Engine (ESE98) and is limited to 16 terabytes and 2 billion objects (but only 1 billion security principals) in each domain controller's database. Microsoft has created NTDS databases with more than 2 billion objects.[15] Called NTDS.DIT, it has two main tables: the data table and the link table. In Windows Server 2003 a third main table was added for security descriptor single instancing.[15]
Programmatic interface
The features of Active Directory may be accessed programmatically via the COM interfaces provided by Active Directory Service Interfaces.[16]
Single server operations
Flexible Single Master Operations (FSMO, sometimes pronounced "fizz-mo") operations are also known as operations master roles. Although domain controllers allow simultaneous updates in multiple places, certain operations are supported only on a single server. These operations are performed using the roles listed below:
Role Name | Scope | Description
Schema Master | 1 per forest | Schema modifications
Domain Naming Master | 1 per forest | Addition and removal of domains if present in root domain
PDC Emulator | 1 per domain | Provides backwards compatibility for NT4 clients for PDC operations (like password changes). The PDC runs domain-specific processes such as the Security Descriptor Propagator (SDPROP), and is the master time server within the domain. It also handles external trusts, the DFS consistency check, holds current passwords and manages all GPOs as default server.
RID Master | 1 per domain | Allocates pools of unique identifiers to domain controllers for use when creating objects
Infrastructure Master | 1 per domain/partition | Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server (GCS) (unless all DCs are also GCs, or the environment consists of a single domain).
Trust
To allow users in one domain to access resources in another, Active Directory uses trusts.[17] Trusts inside a forest are automatically created when domains are created. The forest sets the default boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest.
Terminology
One-way trust: One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
Two-way trust: Two domains allow access to users on both domains.
Trusting domain: The domain that allows access to users from a trusted domain.
Trusted domain: The domain that is trusted; whose users have access to the trusting domain.
Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust: A one-way trust that does not extend beyond two domains.
Explicit trust: A trust that an admin creates. It is not transitive and is one way only.
Cross-link trust: An explicit trust between domains in different trees, or in the same tree when a descendant/ancestor (child/parent) relationship does not exist between the two domains.
Shortcut: Joins two domains in different trees; transitive, one- or two-way.
Forest: Applies to the entire forest; transitive, one- or two-way.
Realm: Can be transitive or nontransitive, one- or two-way.
External: Connects to other forests or non-AD domains; nontransitive, one- or two-way.[18]
Windows 2000 Server supports two-way transitive and one-way intransitive trusts. Administrators can create shortcuts. Windows Server 2003 introduced the forest root trust. This trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos based (as opposed to NTLM). Forest trusts are transitive for all the domains in the trusted forests. Forest trusts themselves, however, are not transitive from one forest to a third.
Unix integration
Varying levels of interoperability with Active Directory can be achieved on most Unix-like operating systems through standards-compliant LDAP clients, but these systems usually do not interpret many attributes associated with Windows components, such as Group Policy and support for one-way trusts.
Third parties offer Active Directory integration for Unix platforms (including UNIX, Linux, Mac OS X, and a number of Java- and UNIX-based applications), including Centrify (DirectControl), Computer Associates (UNAB), CyberSafe Limited (TrustBroker), Likewise Software (Likewise Open or Likewise Enterprise), Quest Software (Authentication Services) and Thursby Software Systems (ADmitMac).[20][21]
The schema additions shipped with Windows Server 2003 R2 include attributes that map closely enough to RFC 2307 to be generally usable. The reference implementation of RFC 2307, nss_ldap and pam_ldap provided by PADL.com, supports these attributes directly. The default schema for group membership complies with RFC 2307bis (proposed).[22] Windows Server 2003 R2 includes a Microsoft Management Console snap-in that creates and edits the attributes. An alternate option is to use another directory service such as 389 Directory Server (formerly Fedora Directory Server, FDS) or Sun Microsystems' Sun Java System Directory Server, which can perform two-way synchronization with AD and thus provide a "deflected" integration, as Unix and Linux clients authenticate to FDS and Windows clients authenticate to AD. Another option is to use OpenLDAP with its translucent overlay, which can extend entries in any remote LDAP server with additional attributes stored in a local database. Clients pointed at the local database see entries containing both the remote and local attributes, while the remote database remains completely untouched.[23] Active Directory can be automated by PowerShell.[citation needed]
The Active Directory schema is the set of definitions that defines the kinds of objects, and the types of information about those objects, that can be stored in Active Directory. The definitions are themselves stored as objects so that Active Directory can manage the schema objects with the same object management operations used for managing the rest of the objects in the directory.
There are two types of definitions in the schema: attributes and classes. Attributes and classes are also referred to as schema objects or metadata.
Attributes are defined separately from classes. Each attribute is defined only once and can be used in multiple classes. For example, the Description attribute is used in many classes, but is defined once in the schema, assuring consistency.
"So we might have objects that reside both in OU's and Containers or can they be present only in one of these at any point in time ?"
An object can only reside in ONE OU or container at any time. It can't exist in both places.
What is Restoring Active Directory?
In the Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You must restore the Active Directory database when objects in Active Directory are changed or deleted. Active Directory restore can be performed in several ways. Replication synchronizes the latest changes from every other replication partner. Once the replication is finished, each partner has an updated version of Active Directory. There is another way to get these latest updates: using the Backup utility to restore replicated data from a backup copy. For this restore you don't need to configure your domain controller again, nor install the operating system from scratch.
"Is the extension .com required or necessary in AD naming? Is .you or .org allowable? .com implies an HTTP protocol, doesn't it?"
There are several schools of thought on this. The reality of it is that there is no restriction on what you use for your AD domain names. Many companies use their DNS namespace as a part of their AD domain name root. For example, Contoso might have Contoso.com as their external domain space for their WWW site and other applications, but internally they may have "corp.Contoso.com" as the root of their Active Directory namespace.
"Back to group policy for a moment... I understand distributing software packages via the AD infrastructure is also supported. What are the possible deployment targets? Only OUs, or can these packages be targeted at single users or computers, or the entire domain?"
Group Policy can be applied at 3 levels: sites, domains, or OUs. When planning software deployments, generally we deploy them to the OU level. It is possible to filter group policies so that only a single user or group of users receives the software you are deploying.
I want to set up a DNS server and Active Directory domain. What do I do first? If I install the DNS service first and name the zone 'name.org', can I name the AD domain 'name.org' too?
Not only can you have a DNS zone and an Active Directory domain with the same name, it's actually the preferred way to go if at all possible. You can install and configure DNS before installing Active Directory, or you can allow the Active Directory Installation Wizard (dcpromo) itself to install DNS on your server in the background.
How do I design two Active Directory domains in a client network?
For Windows Server 2003, your best bet is going to be the Deployment Kit. The section on "Deploying Network Services" will assist you in designing and installing your DNS servers, and the section on "Designing and Deploying Directory and Security Services" will assist you with deploying Active Directory and configuring trust relationships.
Group Policy gives you administrative control over users and computers in your network. By using Group Policy, you can define the state of a user's work environment once, and then rely on Windows Server 2003 to continually enforce the Group Policy settings that you apply across an entire
You can assign group policy in domains, sites and organizational units.
All users and computers are affected by the Group Policy settings applied to their domain, site and organizational unit. By default no one in the network has the right to change policy; only the administrator has full privilege to change it, so it is very secure. Policy settings can be removed, and further changes can rewrite them.
Where GPOs store Group Policy information: Group Policy objects store their information in two locations.
Group Policy Container: The GPC is an Active Directory object that contains GPO status, version information, WMI filter information, and a list of components that have settings in the GPO. Computers can access the GPC to locate Group Policy templates, and if a domain controller does not have the most recent version of the GPO, replication occurs to obtain the latest version of the GPO.
Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL folder on a domain controller. When you create a GPO, Windows Server 2003 creates the corresponding GPT, which contains all Group Policy settings and information, including administrative templates, security, software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL folder to obtain the settings. The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO that you created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT on a domain controller is systemroot\SYSVOL\sysvol.
Managing GPOs: To avoid conflicts in replication, consider the selection of domain controller, especially because the GPO data resides both in the SYSVOL folder and in Active Directory. Active Directory uses two independent replication techniques to replicate GPO data among all domain controllers in the domain. If two administrators work on the same GPO, one administrator's changes can overwrite those made by the other administrator, depending on the replication latency. By default the Group Policy Management Console uses the PDC Emulator so that all administrators work on the same domain controller.
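Because the GPC lives in Active Directory and the GPT in SYSVOL and the two replicate independently, a GPO's version can disagree between the two stores or between domain controllers. The check below is an added example (not from the original page); it assumes the RSAT GroupPolicy and ActiveDirectory modules and the Get-GPO version properties those modules expose.

```powershell
# Added example: report GPOs whose GPC (Active Directory) version and GPT (SYSVOL) version
# disagree on a DC, or whose AD version differs between DCs. Assumes the RSAT GroupPolicy
# and ActiveDirectory modules are installed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoReplicationConsistency {
    param([string] $Domain = (Get-ADDomain).DNSRoot)

    $dcs      = Get-ADDomainController -Filter * -Server $Domain | ForEach-Object { $_.HostName }
    $byGpo    = @{}     # GPO GUID -> per-DC version records
    $findings = @()

    foreach ($dc in $dcs) {
        # Ask each DC directly rather than the default (PDC Emulator) so replication lag is visible.
        foreach ($gpo in (Get-GPO -All -Domain $Domain -Server $dc)) {
            $rec = [pscustomobject]@{
                DC = $dc; Id = $gpo.Id; Name = $gpo.DisplayName
                ComputerAD = $gpo.Computer.DSVersion; ComputerSysvol = $gpo.Computer.SysvolVersion
                UserAD     = $gpo.User.DSVersion;     UserSysvol     = $gpo.User.SysvolVersion
            }
            # Same DC: GPC and GPT versions should match once both replication systems have caught up.
            if ($rec.ComputerAD -ne $rec.ComputerSysvol -or $rec.UserAD -ne $rec.UserSysvol) {
                $findings += [pscustomobject]@{
                    GPO = $rec.Name; Id = $rec.Id; DC = $dc
                    Issue  = 'GPC (AD) and GPT (SYSVOL) versions differ'
                    Detail = "AD $($rec.ComputerAD)/$($rec.UserAD) vs SYSVOL $($rec.ComputerSysvol)/$($rec.UserSysvol)"
                }
            }
            if (-not $byGpo.ContainsKey($rec.Id)) { $byGpo[$rec.Id] = @() }
            $byGpo[$rec.Id] += $rec
        }
    }

    # Across DCs: every DC should report the same AD version for a given GPO.
    foreach ($id in $byGpo.Keys) {
        $recs     = $byGpo[$id]
        $versions = @($recs | ForEach-Object { "$($_.ComputerAD)/$($_.UserAD)" } | Sort-Object -Unique)
        if ($versions.Count -gt 1) {
            $findings += [pscustomobject]@{
                GPO = $recs[0].Name; Id = $id; DC = (($recs | ForEach-Object { $_.DC }) -join ',')
                Issue  = 'AD version differs between DCs (replication not converged, or an overwritten edit)'
                Detail = (($recs | ForEach-Object { "$($_.DC)=$($_.ComputerAD)/$($_.UserAD)" }) -join ' ')
            }
        }
    }
    $findings
}

Test-GpoReplicationConsistency | Format-Table -AutoSize
```

A mismatch that persists beyond the normal replication interval points at a SYSVOL replication problem or at two administrators editing the same GPO on different DCs.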
WMI Filter: WMI filters are used to determine the scope of GPOs based on attributes of the user or computer. In this way, you can increase the GPO filtering capabilities beyond the security group filtering mechanisms that were previously available.
A WMI filter can be linked to a GPO. When you apply a GPO to the destination computer, Active Directory evaluates the filter on the destination computer. A WMI filter contains a few queries that Active Directory evaluates against the WMI repository of the destination computer. If the set of queries is false, Active Directory does not apply the GPO. If the set of queries is true, Active Directory applies the GPO.
You write the queries using the WMI Query Language (WQL); this language is similar to SQL, used for querying the WMI repository.
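The evaluation rule above (every query in the filter must return something, otherwise the GPO is skipped) can be reproduced locally to test a filter before linking it. Added example, not from the original page; it assumes PowerShell 3 or later for Get-CimInstance, and the filter queries are constructed.

```powershell
# Added example: evaluate the WQL queries of a WMI filter on the local machine the way
# Group Policy does, so a filter can be tested before it is linked to a GPO.
# Assumes PowerShell 3+ (Get-CimInstance). The sample filter is constructed.
function Test-WmiFilter {
    param([Parameter(Mandatory)] [string[]] $Queries)   # all queries that make up one WMI filter
    foreach ($q in $Queries) {
        # A query that returns no instances makes the whole filter false; a bad query throws.
        $hits = @(Get-CimInstance -Query $q -ErrorAction Stop)
        if ($hits.Count -eq 0) { return $false }
    }
    return $true   # every query returned at least one instance: the GPO would apply
}

# Constructed filter: apply only to workstations (ProductType 1) running a 10.x build.
$workstationFilter = @(
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1',
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.%"'
)
if (Test-WmiFilter -Queries $workstationFilter) { 'GPO would apply on this machine' }
else                                            { 'GPO would be skipped on this machine' }
```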
Planning a Group Policy Strategy for the Enterprise
When you plan an Active Directory structure, create a plan for GPO inheritance, administration, and deployment that provides the most efficient Group Policy management for your organization. Also consider how you will implement Group Policy for the organization. Be sure to consider the delegation of authority, separation of administrative duties, central versus decentralized administration, and design flexibility so that your plan will provide for ease of use as well as administration.
Planning GPOs
Create GPOs in a way that provides for the simplest and most manageable design, one in which you can use inheritance and multiple links.
Planning Guidelines for GPOs
Apply GPO settings at the highest level: This way, you take advantage of Group Policy inheritance. Determine the largest container to which the common settings apply, starting with the domain, and then link the GPO to this container.
Reduce the number of GPOs: You reduce the number by using multiple links instead of creating multiple identical GPOs. Try to link a GPO to the broadest container possible to avoid creating multiple links of the same GPO at a deeper level.
Create specialized GPOs: Use these GPOs to apply unique settings when necessary. GPOs at a higher level will not apply the settings in these specialized GPOs.
Disable computer or user configuration settings: When you create a GPO to contain settings for only one of the two levels (user and computer), disable the unused level. This speeds up logon and prevents accidental GPO settings from being applied to the other area.
How do I determine if user accounts have local administrative access?
You can use the net localgroup administrators command on each workstation (probably in a login script so that it records its information to a central file for later review). This command will enumerate the members of the
Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group Policy to restrict the membership of
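The login-script collection described above, as an added example (not from the original page): it parses the output of net localgroup administrators, writes one CSV per computer to a central share, and a review function flags members outside an approved baseline. The share path, the approved list and English command output are assumptions.

```powershell
# Added example: collect local Administrators membership from each workstation into a
# central share, then flag members that are not in an approved baseline.
# The share path and the approved member list are constructed placeholders.
function Get-LocalAdministrators {
    # Parse 'net localgroup administrators' (English output assumed); works on old and new Windows.
    $members = @(); $inList = $false
    foreach ($line in (net localgroup administrators)) {
        if ($line -match '^-{20,}') { $inList = $true; continue }          # dashed rule starts the member list
        if (-not $inList) { continue }
        if ([string]::IsNullOrWhiteSpace($line) -or $line -match '^The command completed') { break }
        $members += $line.Trim()
    }
    $members
}

function Export-LocalAdminRecord {
    param([Parameter(Mandatory)] [string] $CentralShare)   # e.g. \\fileserver\LocalAdminAudit$ (placeholder)
    # One file per computer avoids write contention when many login scripts run at the same time.
    $file  = Join-Path $CentralShare "$env:COMPUTERNAME.csv"
    $stamp = Get-Date -Format 's'
    Get-LocalAdministrators | ForEach-Object {
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Member = $_; Collected = $stamp }
    } | Export-Csv -Path $file -NoTypeInformation
}

function Find-UnexpectedLocalAdmins {
    param(
        [Parameter(Mandatory)] [string]   $CentralShare,
        [Parameter(Mandatory)] [string[]] $Approved     # baseline, e.g. 'Administrator', 'CORP\Domain Admins'
    )
    Get-ChildItem -Path $CentralShare -Filter '*.csv' | ForEach-Object { Import-Csv $_.FullName } |
        Where-Object { $Approved -notcontains $_.Member }   # everything else needs review
}

# Login-script side (placeholder share):
#   Export-LocalAdminRecord -CentralShare '\\fileserver\LocalAdminAudit$'
# Review side:
#   Find-UnexpectedLocalAdmins -CentralShare '\\fileserver\LocalAdminAudit$' -Approved 'Administrator','CORP\Domain Admins'
```

Once the review shows which machines drift, the Restricted Groups policy mentioned above is the way to make the baseline stick rather than merely report on it.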
Local, Site, Domain, OU
Group Policy settings are processed in the following order:
1. Local Group Policy object: each computer has exactly one Group Policy object that is stored locally. This is processed for both computer and user Group Policy processing.
2. Site: Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3. Domain: Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed. At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)
Name a few benefits of using GPMC.
Microsoft released the Group Policy Management Console (GPMC) years ago, which is an amazing innovation in Group Policy management. The tool provides control over Group Policy in the following manner:
- Easy administration of all the GPOs across the entire Active Directory
- Reporting of GPO settings, security, filters, delegation, etc.
- Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
- Delegation model
- Backup and restore of GPOs
- Migration of GPOs across different domains and forests
With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC is needed and should be used by everyone for what it is ideal for. However, it does fall a bit short when you want to protect the GPOs from the following:
- Role based delegation of GPO management
- Forgetting to back up a GPO after it has been modified
- Change management of each modification to every GPO
How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
Simply use the Group Policy Management Console, created by MS for that very purpose; it allows you to run simulated policies on computers or users to determine what policies are enforced.
What are administrative templates?
Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised management of machines and users in an Active Directory environment.
Administrative Templates facilitate the management of registry-based policy. An ADM file is used to describe both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines. An ADM file is a text file with a specific syntax which describes both the interface and the registry values which will be changed if the policy is enabled or disabled.
ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified "namespace" in GPEdit and presented to the administrator under the Administrative Templates node (for both machine and user policy).
What's the difference between software publishing and assigning?
Assign to users
The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the start menu, or accesses a file that has been associated with the software application.
Assign to computers
The software application is advertised and installed when it is safe to do so, such as when the computer is next restarted.
Publish to users
The software application does not appear on the start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in control panel, or by clicking on a file that has been associated with the application.
deletion, and it is not possible to publish to
An active directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains. It is primarily used for online information and was originally created in 1996. It was first used with Windows 2000. An active directory (sometimes referred to as an AD) performs a variety of functions, including the ability to provide information on objects, helping organize these objects for easy retrieval and access, allowing access by end users and administrators, and allowing the administrator to set up security for the directory.
Active Directory is a hierarchical collection of network resources that can contain users, computers, printers, and other Active Directories. Active Directory Services (ADS) allow administrators to handle and maintain all network resources from a single location. Active Directory stores information and settings in a central database.
How do I use Registry keys to remove a user from a group?
In Windows Server 2003, you can use the dsmod command-line utility with the -delmbr switch to remove a group member from the command line. You should also look into the freeware utilities available from www.joeware.net. ADFind and ADMod are indispensable tools in my arsenal when it comes to searching and modifying Active Directory.
What are the differences between OUs and Containers?
An organizational unit is a hierarchical object component of Active Directory, while a container is simply a holding area for objects until we decide which OU they should be a part of.
Another benefit of OUs over Containers is that OUs can have policy (Group Policy) applied to them; containers cannot. And you can delegate administration to OUs, but not to containers.
1. What's the difference between local, global and universal groups? Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.
2. I am trying to create a new universal user group. Why can't I? Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.
3. What is LSDOU? It's the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.
4. Why doesn't LSDOU work under Windows NT? If the NTConfig.pol file exists, it has the highest priority among the numerous policies.
5. Where are group policies stored? %SystemRoot%\System32\GroupPolicy
6. What is GPT and GPC? Group policy template and group policy container.
7. Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
8. You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority? The computer settings take priority.
9. You want to set up a remote installation procedure, but do not want the user to gain access over it. What do you do? gponame> User Configuration> Windows Settings> Remote Installation Services> Choice Options is your friend.
10. What's contained in administrative template conf.adm? Microsoft NetMeeting policies.
11. How can you restrict running certain applications on a machine? Via group policy, security settings for the group, then Software Restriction Policies.
12. You need to automatically install an app, but an MSI file is not available. What do you do? A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.
13. What's the difference between Software Installer and Windows Installer? The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.
14. What can be restricted on Windows Server 2003 that wasn't there in previous products? Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.
15. How frequently is the client policy refreshed? 90 minutes, give or take.
16. Where is secedit? It's now gpupdate.
17. You want to create a new group policy but do not wish to inherit. Make sure you check Block Inheritance among the options when creating the policy.
18. What is "tattooing" the Registry? The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.
19. How do you fight tattooing in NT/2000 installations? You can't.
20. How do you fight tattooing in 2003 installations? User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.
21. What does IntelliMirror do? It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.
22. What's the major difference between FAT and NTFS on a local machine? FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.
23. How do FAT and NTFS differ in approach to user shares? They don't; both have support for sharing.
24. Explain the List Folder Contents permission on the folder in NTFS. Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.
25. I have a file to which the user has access, but he has no folder permission to read it. Can he access it? It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can't drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of the file into the Run window.
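An added example, not from the original notes, that models the LSDOU processing order, Block Inheritance and the NTConfig.pol override described in the group policy questions above. The Scope class, the resolve function and the sample scope names are constructed for this illustration.

```python
# Added example (not from the original notes): a model of the LSDOU processing
# order described above. Settings are applied Local -> Site -> Domain -> OU
# (parent OU before child OU), a setting defined at a later level overrides the
# same setting from an earlier one, "Block Inheritance" on an OU discards the
# AD-linked scopes above it, and on Windows NT an NTConfig.pol file wins over all.
# Scope, resolve and the sample scope names are constructed for this example.
from dataclasses import dataclass, field

LEVEL_ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}


@dataclass
class Scope:
    name: str
    level: str                                    # local | site | domain | ou
    settings: dict = field(default_factory=dict)  # policy name -> value
    block_inheritance: bool = False               # only meaningful on an OU


def resolve(scopes, ntconfig_pol=None):
    """Return (effective settings, names of the scopes applied, in order).

    `scopes` is the chain for one computer or user: its Local GPO, site, domain
    and OUs (parent OUs before child OUs). `ntconfig_pol` is a dict of NT 4-style
    policies; if given, it overrides everything (the NT behaviour noted above).
    """
    ordered = sorted(scopes, key=lambda s: LEVEL_ORDER[s.level])  # stable sort
    local = [s for s in ordered if s.level == "local"]
    ad_linked = [s for s in ordered if s.level != "local"]
    # Block Inheritance on an OU drops every site, domain and parent-OU scope
    # above it. The Local GPO is not delivered through AD, so it still applies.
    for i in reversed(range(len(ad_linked))):
        if ad_linked[i].level == "ou" and ad_linked[i].block_inheritance:
            ad_linked = ad_linked[i:]
            break
    effective, applied = {}, []
    for scope in local + ad_linked:
        effective.update(scope.settings)  # closer scope overrides earlier ones
        applied.append(scope.name)
    if ntconfig_pol is not None:
        effective.update(ntconfig_pol)
        applied.append("NTConfig.pol")
    return effective, applied


if __name__ == "__main__":
    chain = [  # constructed sample chain
        Scope("Local", "local", {"screensaver": "off"}),
        Scope("corp.example", "domain", {"screensaver": "on", "timeout": 600}),
        Scope("OU=Sales", "ou", {"timeout": 300}, block_inheritance=True),
    ]
    print(resolve(chain))  # ({'screensaver': 'off', 'timeout': 300}, ['Local', 'OU=Sales'])
```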
26. For a user in several groups, are Allow permissions restrictive or permissive? Permissive: if at least one group has Allow permission for the file/folder, the user will have the same permission.
27. For a user in several groups, are Deny permissions restrictive or permissive? Restrictive: if at least one group has Deny permission for the file/folder, the user will be denied access, regardless of other group permissions.
28. What hidden shares exist on a Windows Server 2003 installation? Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
29. What's the difference between standalone and fault-tolerant DFS (Distributed File System) installations? The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.
30. We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use the UNC path, not the client; only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.
31. Where exactly do fault-tolerant DFS shares store information in Active Directory? In the Partition Knowledge Table, which is then replicated to other domain controllers.
32. Can you use Start->Search with DFS shares? Yes.
33. What problems can you have with DFS installed? Two users opening the redundant copies of the file at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS.
34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can't. Install a standalone one.
35. Is Kerberos encryption symmetric or asymmetric? Symmetric.
36. How does Windows 2003 Server try to prevent a man-in-the-middle attack on an encrypted line? A time stamp is attached to the initial client request, encrypted with the shared key.
37. What hashing algorithms are used in Windows 2003 Server? RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.
38. What third-party certificate exchange protocols are used by Windows 2003 Server? Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.
39. What's the number of permitted unsuccessful logons on the Administrator account? Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.
40. If hashing is a one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1? A cracker would launch a dictionary attack by hashing every imaginable term used for a password and then comparing the hashes.
41. What's the difference between guest accounts in Server 2003 and other editions? More restrictive in Windows Server 2003.
42. How many passwords by default are remembered when you check "Enforce Password History Remembered"? The user's last 6 passwords.
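An added example, not from the original notes, that evaluates the Allow/Deny rules for a user in several groups and the "file reachable by its full path without folder permission" point made above. The functions, principal names and ACLs are constructed for this illustration.

```python
# Added example (not from the original notes): evaluates the Allow/Deny rule for
# a user who belongs to several groups, plus the "file reachable by full path"
# point above. An ACE is (principal, "allow" | "deny", set of rights). Rights
# from every matching Allow accumulate; a matching Deny removes the right no
# matter what the other groups grant. All names and ACLs here are constructed.
READ, WRITE, LIST = "read", "write", "list_folder"


def effective_rights(acl, user, groups):
    """Rights `user` ends up with on an object carrying `acl`."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(rights)
    # Deny is restrictive: it wins even when another group grants the right.
    # On a real NTFS volume the canonical ACE order (explicit Deny before
    # explicit Allow) is what makes this outcome deterministic.
    return allowed - denied


def has_access(acl, user, groups, wanted):
    """True when every right in `wanted` is effectively granted."""
    return set(wanted) <= effective_rights(acl, user, groups)


def reach_file(folder_acl, file_acl, user, groups):
    """Return (can_browse_to_it, can_open_by_path).

    Browsing the tree in Explorer needs List Folder Contents on the parent.
    Opening the file by its full UNC path needs only the file's own ACL: Windows
    grants "Bypass traverse checking" to Everyone by default, so the parent
    folder's ACL is not consulted once the path is known. It is the file's own
    ACL, not its folder's, that protects it.
    """
    browse = has_access(folder_acl, user, groups, {LIST})
    open_by_path = has_access(file_acl, user, groups, {READ})
    return browse, open_by_path


# constructed sample ACLs
SHARE_FOLDER_ACL = [("Sales", "allow", {LIST, READ})]
REPORT_ACL = [
    ("Sales", "allow", {READ, WRITE}),
    ("Contractors", "allow", {READ}),
    ("Contractors", "deny", {WRITE}),
]

if __name__ == "__main__":
    print(effective_rights(REPORT_ACL, "bob", {"Sales", "Contractors"}))  # {'read'}
    print(reach_file(SHARE_FOLDER_ACL, REPORT_ACL, "carol", {"Contractors"}))  # (False, True)
```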